Reputation: 2762
What's the best way to hash the user password at the client browser, before sending it to the web server, so that only the hash goes out, not the plain-text password?
EDIT: assuming HTTP is used (not HTTPS)
Upvotes: 6
Views: 3208
Reputation: 20387
Why do we hash passwords? So that if the hashes are obtained they're difficult to use.
What happens in this model if the hashes in the system are exposed? The attacker simply sends them to the server and authenticates as the user.
This is why password hashing always happens on the server, not the client!
Upvotes: 1
Reputation: 269627
Why would you bother doing this? Effectively, the password hash has become the password, and a man-in-the-middle who intercepts the hash can use it to authenticate and perform any action as the user. On the other hand, if you don't believe in the man-in-the-middle, why not just send the password itself?
Upvotes: 1
Reputation: 102755
JavaScript-side encryption like the jQuery Encryption library stops eavesdroppers. However, MITM (man-in-the-middle) attacks can still occur. SSL/TLS is the ultimate choice and is highly recommended unless you are on shared hosting (no dedicated IPs) or your site is receiving so much traffic that you can't simply encrypt all connections (JS, CSS, HTML, ...).
Upvotes: 1
Reputation: 25790
This site has quite comprehensive hashing/crypto stuff: JavaScript Encryption Library
Upvotes: 1
Reputation: 27811
Try using this jQuery encryption plugin. Out of curiosity, what's wrong with using SSL/HTTPS and encrypting at the server side?
Upvotes: 2
Reputation: 827178
Not all people have JavaScript enabled in their browsers, and even the idea of sending hashes over a plain-text channel is, I think, not secure enough.
I would recommend you to consider an SSL-secured connection.
Upvotes: 1
Reputation: 3323
Use JavaScript to calculate the hash. See this for an example of how to calculate SHA-1 hashes in JS.
Beware that if you make yourself dependent on JavaScript, your system will fail as soon as someone has JS disabled. You should use HTTPS if this is a concern to you, which has its own setbacks (e.g. certificates cost money if you want them to be immediately accepted by browsers).
Upvotes: 5